diff --git a/pom.xml b/pom.xml
index 15851ec3b..ace58b581 100644
--- a/pom.xml
+++ b/pom.xml
@@ -146,6 +146,7 @@
1.4.5
1.5.2
+ 1.0.2
@@ -248,6 +249,11 @@
jruby
9.3.6.0
+
+ io.github.pixee
+ java-security-toolkit-xstream
+ ${versions.java-security-toolkit-xstream}
+
@@ -393,6 +399,10 @@
rest-assured
test
+
+ io.github.pixee
+ java-security-toolkit-xstream
+
diff --git a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
index ad1a91cc4..cb3062fc0 100644
--- a/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/vulnerablecomponents/VulnerableComponentsLesson.java
@@ -23,6 +23,7 @@
package org.owasp.webgoat.lessons.vulnerablecomponents;
import com.thoughtworks.xstream.XStream;
+import io.github.pixee.security.xstream.HardeningConverter;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
import org.owasp.webgoat.container.assignments.AssignmentHints;
@@ -39,6 +40,7 @@ public class VulnerableComponentsLesson extends AssignmentEndpoint {
@PostMapping("/VulnerableComponents/attack1")
public @ResponseBody AttackResult completed(@RequestParam String payload) {
XStream xstream = new XStream();
+ xstream.registerConverter(new HardeningConverter());
xstream.setClassLoader(Contact.class.getClassLoader());
xstream.alias("contact", ContactImpl.class);
xstream.ignoreUnknownElements();
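Review bot: The added `xstream.registerConverter(new HardeningConverter());` changes the behaviour of what looks like a deliberately vulnerable training endpoint (`VulnerableComponentsLesson`, an `AssignmentEndpoint` that takes a request-supplied `payload`). Please confirm the assignment can still be completed, or add a comment such as `// Hardened on purpose: the lesson no longer deserializes arbitrary types`. If the intent is to make this deserialization safe, a converter that rejects known dangerous types is presumably a denylist and will lag behind newly published gadget classes. An explicit allowlist of the one expected type, e.g. `xstream.allowTypes(new Class[] {ContactImpl.class});`, is the stronger control, provided the XStream version in use ships the security framework (1.4.7 or later). The body of `completed` continues outside the hunk, so the call that parses `payload` and its error handling are not visible here.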